When a federated user or a conference is involved, the media is sent through TCP via the AVMCU on the edge server. So the issue seems to be with the outbound TCP 50000-59999 port range traversing the firewall.

The call fails with the following reason in the BYE:

Ms-client-diagnostics: 23; reason="Call failed to establish due to a media connectivity failure when one endpoint is internal and the other is remote"

TCP NAT connectivity failed
This flag is expected. If local-to-local connectivity succeeded, the TCP NAT connectivity check may not have been tried. Or there is no direct TCP connection possible.
TCP NAT connectivity failing may result in an ICE protocol failure.

Another clue pointing to the TCP media port range.
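One way to find the affected calls in captured SIP traces, as an added example that is not from the original post: it scans BYE messages for the Ms-client-diagnostics header shown above and lists the Call-IDs that ended with id 23. The trace, Call-IDs, addresses and the 99999 entry are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed SIP trace; messages are separated by blank lines. Only the
# id-23 diagnostic text is taken from the post, everything else is made up.
SAMPLE_TRACE = '''BYE sip:alice@example.com SIP/2.0
From: <sip:bob@example.org>;tag=1
Call-ID: constructed-call-1
Ms-client-diagnostics: 23; reason="Call failed to establish due to a media connectivity failure when one endpoint is internal and the other is remote"

BYE sip:carol@example.com SIP/2.0
From: <sip:dave@example.com>;tag=2
Call-ID: constructed-call-2
ms-client-diagnostics: 99999; reason="constructed non-media reason"

BYE sip:erin@example.com SIP/2.0
Call-ID: constructed-call-3
'''

# SIP header names are case-insensitive, so match them that way.
DIAG = re.compile(r'^ms-client-diagnostics:\s*(\d+)\s*;\s*reason="([^"]*)"',
                  re.I | re.M)
CALL_ID = re.compile(r'^call-id:\s*(\S+)', re.I | re.M)
MEDIA_FAILURE_ID = 23  # diagnostic id quoted in the post


def parse_byes(trace):
    """Yield (call_id, diag_id, reason) for each BYE that carries the header."""
    for msg in re.split(r'\r?\n\s*\r?\n', trace.strip()):
        if not msg.lstrip().upper().startswith('BYE '):
            continue  # only BYE requests are of interest here
        diag = DIAG.search(msg)
        if diag is None:
            continue  # a normal hang-up without diagnostics
        cid = CALL_ID.search(msg)
        yield (cid.group(1) if cid else None, int(diag.group(1)), diag.group(2))


def media_failures(trace):
    """Call-IDs whose BYE reports the media connectivity failure (id 23)."""
    return [cid for cid, diag_id, _ in parse_byes(trace)
            if diag_id == MEDIA_FAILURE_ID]


def summarize(trace):
    """Count BYE diagnostics per id, to see how common the failure is."""
    return Counter(diag_id for _, diag_id, _ in parse_byes(trace))


if __name__ == '__main__':
    print('media failures:', media_failures(SAMPLE_TRACE))
    print('per id:', dict(summarize(SAMPLE_TRACE)))
```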

We also saw a lot of TCP retransmits when doing packet tracing; the edge server was not happy with the TCP connection when trying to set up the desktop sharing session.

What we realised fairly early was that all customers reporting this were running Palo Alto firewalls, which try to look at what kind of application the traffic is instead of just looking at port numbers in the traditional way.

After quite a bit of troubleshooting – everything was set up by the book, nothing seemed to be wrong other than the media failing – we were able to make a case with Palo Alto support, and it eventually turned out to be a bug in the Palo Alto software that doesn’t recognize the desktop sharing session as that, but tries to decrypt the session – even if no decryption is configured anywhere else on the firewall. The bug was, as far as we can tell, introduced in version 6.1.3, and has been reported fixed in an upcoming version 7.0.3. PAN support gave this workaround:

I’ve been working quite a bit with Acano lately, and because of that I have started looking into the management API that they provide on their Server. This API is exposed as XML through HTTPS, so I thought that it should be quite possible to write some PowerShell functions that accessed parts of the API. These have evolved into what I now release as version 0.1 of the PsAcano PowerShell implementation of the Acano API.

Currently only the GET commands are implemented, so it is only possible to view information at the moment – not edit or create anything. The functionality provided by the POST, PUT and DELETE commands will be implemented in the coming days and weeks.

Last weekend Knowledge Factory had our kick-off in beautiful Vaxholm outside of Stockholm. There we were treated to an extremely inspiring session by Simon Wåhlin (http://blog.simonw.se/) about PowerShell and Git. A big thank you to Simon for finally kicking me into doing source control on my scripts 😀

I’ve set up an account on GitHub, and from now on my scripts will be available there, and this of course also applies to PsAcano.

If you don’t want to visit the repository page on GitHub, you can download the module here. Installation instructions can be found in the Readme.md file. Feedback is welcome as issues on GitHub or comments on this blog post.